Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de



Similar documents
Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

How to Create a Forefront UAG Portport

Configuring Security for FTP Traffic

Owner of the content within this article is Written by Marc Grote

the client omits the BranchCache identifier from the request message.

RSA SecurID Ready Implementation Guide

How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)

RSA SecurID Ready Implementation Guide

Owner of the content within this article is Written by Marc Grote

Forefront UAG Monitoring and Network Traffic Control

RSA Security Analytics

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Windows Server on WAAS: Reduce Branch-Office Cost and Complexity with WAN Optimization and Secure, Reliable Local IT Services

Configuring Security for SMTP Traffic

Owner of the content within this article is Written by Marc Grote

Enabling Users for Lync services

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Owner of the content within this article is Written by Marc Grote

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

NSi Mobile Installation Guide. Version 6.2

Step-By-Step Guide to Deploying Lync Server 2010 Enterprise Edition

Owner of the content within this article is Written by Marc Grote

GFI Product Manual. Administration and Configuration Manual

Installation and configuration guide

Hyper-V Replica Essentials

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

ISA 2006 Array Step by step configuration guide

Setting Up SSL on IIS6 for MEGA Advisor

Monitoring SharePoint 2007/2010/2013 Server Using Event Tracker

Network Configuration Settings

Grandstream Networks, Inc. UCM6100 Security Manual

Best Practice Configurations for OfficeScan (OSCE) 10.6

Application Notes for Microsoft Office Communicator Clients with Avaya Communication Manager Phones - Issue 1.1

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Deploying the BIG-IP LTM with. Citrix XenApp. Deployment Guide Version 1.2. What s inside: 2 Prerequisites and configuration notes

Caching SMB Data for Offline Access and an Improved Online Experience

Edge Configuration Series Reporting Overview

Desktop Surveillance Help

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Configuring Security Features of Session Recording

F-Secure Messaging Security Gateway. Deployment Guide

Deploy Remote Desktop Gateway on the AWS Cloud

7.1. Remote Access Connection

How to configure SSL proxying in Zorp 3 F5

Networking for Caribbean Development

Deploying F5 to Replace Microsoft TMG or ISA Server

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Enable SSL for Apollo 2015

Installation and configuration guide

Introduction to Mobile Access Gateway Installation

Optimal Network Connectivity Reliable Network Access Flexible Network Management

GlobalSCAPE DMZ Gateway, v1. User Guide

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Install and configure server

Configuring Windows Server Clusters

Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition

Integrate Check Point Firewall

INTERNET INFORMATION SERVICES (IIS) IMPLEMENTATION BEST PRACTICES: By: Terri Donahue, Microsoft IIS MVP

Microsoft Lync Server Overview

How to set up popular firewalls to work with Web CEO

Setting up Microsoft Office 365

Proxies. Chapter 4. Network & Security Gildas Avoine

Sophos for Microsoft SharePoint startup guide

Introduction to the EIS Guide

Basic Exchange Setup Guide

IIS Reverse Proxy Implementation

Transport server data paths

How to Logon with Domain Credentials to a Server in a Workgroup

How To Install Powerpoint 6 On A Windows Server With A Powerpoint 2.5 (Powerpoint) And Powerpoint On A Microsoft Powerpoint 4.5 Powerpoint (Powerpoints) And A Powerpoints 2

Managing Qualys Scanners

IBM Security QRadar Vulnerability Manager Version User Guide

Forward proxy server vs reverse proxy server

Outpost Network Security

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Firewall. User Manual

GFI White Paper PCI-DSS compliance and GFI Software products

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Security IIS Service Lesson 6

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0

nexvortex Setup Template

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop

Kaseya Server Instal ation User Guide June 6, 2008

Inspection of Encrypted HTTPS Traffic

Monitoring Forefront TMG

WHITE PAPER Citrix Secure Gateway Startup Guide

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

HP ProLiant Essentials Vulnerability and Patch Management Pack Server Security Recommendations

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Transcription:

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Microsoft Forefront TMG Using the BranchCache feature in Forefront TMG SP1 Abstract In this article I will show you one of the new features in Forefront TMG Service Pack 1 called BranchCache in Hosted Mode. Let s begin Forefront TMG SP1 supports configuring the Server as a BranchCache Server in Hosted Mode. BranchCache is not used exclusively with Forefront TMG. BranchCache is a feature first introduced in Windows Server 2008 R2 and Windows 7 which use techniques to reduce the amount of data transferred from the Headquarter to the Branch Office through a WAN link. BranchCache provides two operation modes: Distributed Cache Hosted Cache Distributed Cache The Distributed Cache feature is great for small Branch Office without a dedicated Server. The BranchCache will be distributed between several Windows 7 clients, where every Windows 7 client hosts part of the BranchCache content. Hosted Cache In the Hosted Cache Mode there is a dedicated Server which hosts the cached content of the BranchCache. Every Windows 7 client in the BranchOffice can participate from the central cache in Hosted Cache mode. The Hosted Cache mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the Branch Office. If the content is not available in the Hosted Cache, it is retrieved from the content server by using the WAN. The Hosted Cache Mode server stores the content locally so that subsequent client computers can benefit from the Hosted cache again. To deploy BranchCache in Hosted Cache mode, you must install and configure content servers in your main office, and install and configure a Hosted Cache server and client computers in your branch office. Note: Forefront TMG SP1 can only be configured to operate in Hosted Cache Mode.

Activating BranchCache on Forefront TMG SP1 BranchCache in Hosted Cache mode can be activated in the Forefront TMG Management console. Navigate to the Firewall policy node and on the Task pane click Configure BranchCache and enable BranchCache in Hosted Cache mode. Figure 1: Configuring BranchCache Hosted Cache authentication The Hosted Cache is trusted by client computers to cache and distribute data that may be under access control to prevent executing and reading the data. To enhance the security, Windows 7 client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support a TLS connection, Forefront TMG must have a certificate that is trusted by clients and the Extended Key Usage (EKU) must be server authentication. So the next step is to issue a Computer certificate from an internal certification authority (CA) which is trusted by all domain members. For the certificate in this article we are using the MMC on the Forefront TMG Server to request a certificate with the Computer certificate template. The Common Name (CN) of the certificate is the FQDN of the Forefront TMG Server.

Figure 2: Requesting a certificate for BranchCache After the certificate is issued and stored in the certificate store of the local computer, we can use the certificate to encrypt the data transfer from the Hosted Cache. Selected the certificate and if you only want to allow clients from the same Windows domain to access the Hosted Cache, activate the checkbox, as shown in the following picture. Figure 3: Select the certificate for BranchCache

BranchCache in Hosted Mode store the content of the Hosted Cache on the disk of Forefront TMG. I recommend using a dedicated volume or disk for Hosted Cache content and not the default folder. If you use a dedicated volume or disk you can also increase the percentage storage used for the Hosted Cache. The default value is 5 percent and I increased the percentage to 90 percent to keep 10 percent as a reserve. Figure 4: Select the location for BranchCache content and the Percentage of disk space used for Hosted Cache. NIS Inspection and BranchCache The next step is optional but very important in my opinion if you use the Network Inspection System (NIS) feature in Forefront TMG. TMG is a vulnerability-based Intrusion Prevention System (IPS). An IPS should protect your internal network from known and unknown vulnerabilities if TMG is being used directly on the edge of the internal network on the Internet. All network traffic must flow through TMG, so TMG is the first line of defense to protect against different vulnerabilities. TMG NIS IPS features block un/known attacks at the network level to fight against vulnerabilities. TMG uses a signature based IPS. A signature based IPS protects your hosts against exploitation of vulnerabilities which are found. A signature based IPS is used to close the time window between an announcement of vulnerability and the patch deployment of all possible vulnerable hosts. When NIS is enabled all traffic gets inspected, including traffic destined explicitly to the host or originating from the host. As a result, it may be possible that users may experience an increased latency when retrieving objects from the Hosted Cache server. To improve the performance it is possible to disable NIS for traffic from or to the Host to disable NIS for traffic to the host or originating from the host. Attention: Disabling NIS in Forefront TMG decrease the protection mechanism of Forefront

TMG. You will find more information about possible security impacts in the guide for implementing BranchCache with Forefront TMG. You will find a link to this guide at the end of this article. With the following registry key it is possible to disable the NIS traffic inspection of the Localhost: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\IPS\IPS_LO CALHOST_INSPECTION_MODE Set the value to 0. After that you must reapply the Forefront TMG policy. Next we have to change the BranchCache protocols default port numbers (from port 80 and 443) to custom port numbers. By default NIS inspects only HTTP and HTTPS on Localhost traffic. To retain inspection for non-related Branchcache traffic without impacting BranchCache performance it is required that the BranchCache default ports are changed to another available port. Firewall Rules for BranchCache By default, Forefront TMG blocks most traffic that is destined explicitly to the Forefront TMG Server or originating from the TMG Server, so we have to modify the Forefront TMG Firewall rules to allow BranchCache traffic because BranchCache is operating in Hosted Mode on the Forefront TMG Server. A BranchCache client initiates a connection to the Forefront TMG Server with the Hosted Cache Protocol (PCHC Port 443). The Hosted cache Server will initiate a new connection using the Retrieval protocol (PCCRR Port 80) to retrieve the data from the client. After that the data is now cached on the Hosted Cache Server. Another BranchCache client that needs to retrieve data from the Hosted Cache will initiate the Retrieval protocol (PCCRR) and retrieve content from the Hosted Cache. To allow this communication you must define two Forefront TMG policy rules: Allow Hosted Cache Inbound Connections Allow Hosted Cache Outbound Connections Allow Hosted Cache Inbound Connections This Firewall rule allows BranchCache clients to advertise new content to the Hosted Cache Server and retrieve data from the Hosted Cache Server. Allow Hosted Cache Outbound Connections This Firewall rule allows the Hosted Cache Server to retrieve advertised content from the BranchCache client. The actual ports that are used by the BranchCache clients are stored in the Registry of the client. The Registry keys are located here: For the Retrieval port (Default is Port 80) HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\PeerDist\ DownloadManager\Peers\Connection For the Hosted Cache port (Default is 443)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection Next we have to create the Firewall rules on Forefront TMG. You will see the Firewall protocol defintions in the following picture. After the new Protocol definitions have been created we must create two new Firewall rules which allows traffic for these protocol definitions from the internal network to the Localhost Network and vice versa. Figure 5: Firewall Protocol rules for BranchCache Figure 6: firewall rules for BranchCache Click Apply to save the configuration changes to the Forefront TMG storage. Monitoring BranchCache There are many ways to monitor the BranchCache efficiency. One way is to use a new monitoring option in the Forefront TMG dashboard as shown in the following picture. Another way is to use the built-in Performance Monitor counters for BranchCache of Windows Server 2008 R2.

Figure 7: Monitoring BranchCache BranchCache Performance Counter Windows Server 2008 R2 comes with a lot of built-in Performance Counters to monitor the efficiency of the BranchCache feature on Forefront TMG. You will need to monitor these Performance Counters from time to time to make changes when the efficiency of the BranchCache doesn t fulfill your needs. To monitor the BranchCache performance start the Windows Server 2008 R2 Performance Monitor and select the BranchCache counters and add the Performance Counters to be monitored. Figure 8: Performance Counters for BranchCache Conclusion

In this article I tried to show you how to configure Microsoft Forefront TMG SP1 as a Hosted Server for BranchCache. With the help of the BranchCache feature you can use Forefront TMG without an additional Server or Server feature to fulfill the requests for Branch Office to get the most updated content directly from the Forefront TMG Server without overloading the WAN link. With the help of Forefront TMG it is easy to implement an integrated BranchCache solution which is also easy to monitor with the built-in Forefront TMG dashboard or the integrated Performance Monitor counters from Windows Server 2008 R2. Related links Planning for BranchCache (SP1) http://technet.microsoft.com/en-us/library/ff685650.aspx Performance Counters http://technet.microsoft.com/en-us/library/dd637826(ws.10).aspx Explaining and configuring NIS (Network Inspection Service) http://www.isaserver.org/tutorials/explaining-configuring-nis-network-inspection- Service.html

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information